Questions with respect to privacy and new technological developments Bart van der Sloot Institute for Information Law, University of Amsterdam, Netherlands

3 Questions (1) Is the concept of personal data still relevant? (2) Can we still regulate the gathering of/access to data? (3) Are the privacy responsibilities a problem for the development of new product?

(1) Is the concept of personal data still relevant? ‘personal data means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person’

(1) Is the concept of personal data still relevant? However, it is also possible to influence people or have an impact on their lives by using non-personal, aggregate and meta data While the status of a datum (personal - non-personal; sensitive - non-senstive; content –meta data; identifying – anonymous; specific – aggregated; etc.) used to be relatively stable, these are currently rather fluid stages. Should we move to a more neutral terminology?

(2) Can we still regulate the gathering of/access to data? Most of the current privacy and data protection rules focuss on gathering and storing data: Purpose and purpose limmitation Safety and confidentiality Quality and transparancy Data minimalisation and storage limmitation

(2) Can we still regulate the gathering of/access to data? In practice, however, we see that citizens, companies and states alike gather large amounts of data. Can we instead or in addition also regulate: The analysis of data The use of data

(3) Are the privacy responsibilities a problem for the development of new product? The current legal regime mostly lays the responsibility for upholding the legal safeguards on one or a few selected organisations. ‘Controller means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law’

(3) Are the privacy responsibilities a problem for the development of new product? In practice, however, we see that data streams are increasingly shared between departments, between organisations and crossing national borders. Data are combined, cross-pollinated with online/open-access data and harvested by algorithms. In such a diffuse situation, who is and should be responsible for upholding the legal obligations? Can the responsibility still be placed on one or a few organisations?

Three potential problems: (3) Are the privacy responsibilities a problem for the development of new product? Three potential problems: (1) Unclearity about division of responsibilities (2) New and stricter norms in General Data Protection Regulation (3) New and stricter norms on transnational data flows